aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rwxr-xr-xsrc/libcharon/sa/ikev1/tasks/aggressive_mode.c50
-rwxr-xr-xsrc/libcharon/sa/ikev1/tasks/main_mode.c47
-rwxr-xr-xsrc/libcharon/sa/ikev1/tasks/xauth.c23
3 files changed, 95 insertions, 25 deletions
diff --git a/src/libcharon/sa/ikev1/tasks/aggressive_mode.c b/src/libcharon/sa/ikev1/tasks/aggressive_mode.c
index 1fe36a9d5..b89b71b4c 100755
--- a/src/libcharon/sa/ikev1/tasks/aggressive_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/aggressive_mode.c
@@ -95,8 +95,14 @@ struct private_aggressive_mode_t {
/**
* Set IKE_SA to established state
*/
-static void establish(private_aggressive_mode_t *this)
+static bool establish(private_aggressive_mode_t *this)
{
+ if (!charon->bus->authorize(charon->bus, TRUE))
+ {
+ DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling");
+ return FALSE;
+ }
+
DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
this->ike_sa->get_name(this->ike_sa),
this->ike_sa->get_unique_id(this->ike_sa),
@@ -107,6 +113,8 @@ static void establish(private_aggressive_mode_t *this)
this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
+
+ return TRUE;
}
/**
@@ -278,28 +286,31 @@ METHOD(task_t, build_i, status_t,
}
this->id_data = chunk_empty;
- if (this->peer_cfg->get_virtual_ip(this->peer_cfg))
- {
- this->ike_sa->queue_task(this->ike_sa,
- (task_t*)mode_config_create(this->ike_sa, TRUE));
- }
-
switch (this->method)
{
case AUTH_XAUTH_INIT_PSK:
case AUTH_XAUTH_INIT_RSA:
case AUTH_HYBRID_INIT_RSA:
/* wait for XAUTH request */
- return SUCCESS;
+ break;
case AUTH_XAUTH_RESP_PSK:
case AUTH_XAUTH_RESP_RSA:
case AUTH_HYBRID_RESP_RSA:
/* TODO-IKEv1: not yet */
return FAILED;
default:
- establish(this);
- return SUCCESS;
+ if (!establish(this))
+ {
+ return send_notify(this, AUTHENTICATION_FAILED);
+ }
+ break;
}
+ if (this->peer_cfg->get_virtual_ip(this->peer_cfg))
+ {
+ this->ike_sa->queue_task(this->ike_sa,
+ (task_t*)mode_config_create(this->ike_sa, TRUE));
+ }
+ return SUCCESS;
}
default:
return FAILED;
@@ -405,6 +416,13 @@ METHOD(task_t, process_r, status_t,
}
this->id_data = chunk_empty;
+ if (!charon->bus->authorize(charon->bus, FALSE))
+ {
+ DBG1(DBG_IKE, "Aggressive Mode authorization hook forbids "
+ "IKE_SA, cancelling");
+ return send_delete(this);
+ }
+
switch (this->method)
{
case AUTH_XAUTH_INIT_PSK:
@@ -419,7 +437,10 @@ METHOD(task_t, process_r, status_t,
/* TODO-IKEv1: not yet supported */
return FAILED;
default:
- establish(this);
+ if (!establish(this))
+ {
+ return send_delete(this);
+ }
lib->processor->queue_job(lib->processor, (job_t*)
adopt_children_job_create(
this->ike_sa->get_id(this->ike_sa)));
@@ -557,6 +578,13 @@ METHOD(task_t, process_i, status_t,
{
return send_notify(this, AUTHENTICATION_FAILED);
}
+ if (!charon->bus->authorize(charon->bus, FALSE))
+ {
+ DBG1(DBG_IKE, "Aggressive Mode authorization hook forbids IKE_SA, "
+ "cancelling");
+ return send_notify(this, AUTHENTICATION_FAILED);
+ }
+
return NEED_MORE;
}
return FAILED;
diff --git a/src/libcharon/sa/ikev1/tasks/main_mode.c b/src/libcharon/sa/ikev1/tasks/main_mode.c
index ba1a9ad1d..c1a61cede 100755
--- a/src/libcharon/sa/ikev1/tasks/main_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/main_mode.c
@@ -95,8 +95,14 @@ struct private_main_mode_t {
/**
* Set IKE_SA to established state
*/
-static void establish(private_main_mode_t *this)
+static bool establish(private_main_mode_t *this)
{
+ if (!charon->bus->authorize(charon->bus, TRUE))
+ {
+ DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling");
+ return FALSE;
+ }
+
DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
this->ike_sa->get_name(this->ike_sa),
this->ike_sa->get_unique_id(this->ike_sa),
@@ -107,6 +113,8 @@ static void establish(private_main_mode_t *this)
this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
+
+ return TRUE;
}
/**
@@ -406,6 +414,13 @@ METHOD(task_t, process_r, status_t,
{
return send_notify(this, AUTHENTICATION_FAILED);
}
+ if (!charon->bus->authorize(charon->bus, FALSE))
+ {
+ DBG1(DBG_IKE, "Main Mode authorization hook forbids IKE_SA, "
+ "cancelling");
+ return send_notify(this, AUTHENTICATION_FAILED);
+ }
+
this->state = MM_AUTH;
if (has_notify_errors(this, message))
{
@@ -467,6 +482,7 @@ METHOD(task_t, build_r, status_t,
{
return send_notify(this, AUTHENTICATION_FAILED);
}
+
switch (this->method)
{
case AUTH_XAUTH_INIT_PSK:
@@ -481,7 +497,10 @@ METHOD(task_t, build_r, status_t,
/* TODO-IKEv1: not yet supported */
return FAILED;
default:
- establish(this);
+ if (!establish(this))
+ {
+ return send_notify(this, AUTHENTICATION_FAILED);
+ }
lib->processor->queue_job(lib->processor, (job_t*)
adopt_children_job_create(
this->ike_sa->get_id(this->ike_sa)));
@@ -577,29 +596,37 @@ METHOD(task_t, process_i, status_t,
{
return send_delete(this);
}
-
- if (this->peer_cfg->get_virtual_ip(this->peer_cfg))
+ if (!charon->bus->authorize(charon->bus, FALSE))
{
- this->ike_sa->queue_task(this->ike_sa,
- (task_t*)mode_config_create(this->ike_sa, TRUE));
+ DBG1(DBG_IKE, "Main Mode authorization hook forbids IKE_SA, "
+ "cancelling");
+ return send_delete(this);
}
-
switch (this->method)
{
case AUTH_XAUTH_INIT_PSK:
case AUTH_XAUTH_INIT_RSA:
case AUTH_HYBRID_INIT_RSA:
/* wait for XAUTH request */
- return SUCCESS;
+ break;
case AUTH_XAUTH_RESP_PSK:
case AUTH_XAUTH_RESP_RSA:
case AUTH_HYBRID_RESP_RSA:
/* TODO-IKEv1: not yet */
return FAILED;
default:
- establish(this);
- return SUCCESS;
+ if (!establish(this))
+ {
+ return send_delete(this);
+ }
+ break;
+ }
+ if (this->peer_cfg->get_virtual_ip(this->peer_cfg))
+ {
+ this->ike_sa->queue_task(this->ike_sa,
+ (task_t*)mode_config_create(this->ike_sa, TRUE));
}
+ return SUCCESS;
}
default:
return FAILED;
diff --git a/src/libcharon/sa/ikev1/tasks/xauth.c b/src/libcharon/sa/ikev1/tasks/xauth.c
index e836bed16..aa79811f7 100755
--- a/src/libcharon/sa/ikev1/tasks/xauth.c
+++ b/src/libcharon/sa/ikev1/tasks/xauth.c
@@ -140,8 +140,19 @@ static xauth_method_t *load_method(private_xauth_t* this)
/**
* Set IKE_SA to established state
*/
-static void establish(private_xauth_t *this)
+static bool establish(private_xauth_t *this)
{
+ if (!charon->bus->authorize(charon->bus, FALSE))
+ {
+ DBG1(DBG_IKE, "XAuth authorization hook forbids IKE_SA, cancelling");
+ return FALSE;
+ }
+ if (!charon->bus->authorize(charon->bus, TRUE))
+ {
+ DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling");
+ return FALSE;
+ }
+
DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
this->ike_sa->get_name(this->ike_sa),
this->ike_sa->get_unique_id(this->ike_sa),
@@ -152,6 +163,8 @@ static void establish(private_xauth_t *this)
this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
+
+ return TRUE;
}
METHOD(task_t, build_i_status, status_t,
@@ -210,9 +223,8 @@ METHOD(task_t, build_r_ack, status_t,
message->add_payload(message, (payload_t *)cp);
- if (this->status == XAUTH_OK)
+ if (this->status == XAUTH_OK && establish(this))
{
- establish(this);
lib->processor->queue_job(lib->processor, (job_t*)
adopt_children_job_create(this->ike_sa->get_id(this->ike_sa)));
return SUCCESS;
@@ -311,7 +323,10 @@ METHOD(task_t, process_i_status, status_t,
DBG1(DBG_IKE, "destroying IKE_SA after failed XAuth authentication");
return FAILED;
}
- establish(this);
+ if (!establish(this))
+ {
+ return FAILED;
+ }
this->ike_sa->set_condition(this->ike_sa, COND_XAUTH_AUTHENTICATED, TRUE);
return SUCCESS;
}
generated by cgit v1.2.3 (git 2.25.1) at 2025-09-15 14:44:59 +0000